Implementing Azure Firewall and Azure Bastion – Securing Access to Virtual Networks
Implementing Azure Firewall and Azure Bastion
Let’s have a look at Azure Firewall and the different SKUs available and what functionality they have.
Azure Firewall
When it comes to networking in Azure, NSGs are considered a basic-level firewall: they are stateful layer 3/4 filters on IP addresses, ports and protocols. Sometimes a solution is required that has more granular control over traffic, or a smarter firewall is required, for example one that can filter outbound traffic by domain name rather than by IP address; this is where Azure Firewall shines.
Azure Firewall has three main rule types, each configured in its own rule collection:
- A Network Address Translation (NAT) rule: This is a destination NAT (DNAT) rule, used to translate an inbound connection to the firewall's public IP address and port into a private IP address and port behind the firewall; the firewall adds a corresponding network rule so the translated traffic is allowed.
- A network rule: This filters on the same attributes as an NSG rule (source, destination, protocol and port) but has additional features, such as being able to create rules based on fully qualified domain names (FQDNs) instead of just IP addresses. FQDN-based network rules require the firewall's DNS proxy to be enabled, because the firewall must resolve the name itself to match it.
- An application rule: This is used to allow or deny outbound HTTP, HTTPS and MSSQL traffic based on the FQDN the client requests (the HTTP Host header or TLS Server Name Indication), with wildcard support such as *.contoso.com.
The following diagram shows how rules in Azure Firewall are processed based on rule type:

Figure 15.9 – Azure Firewall rule processing
It is important to understand rule processing within Azure Firewall, especially in troubleshooting scenarios.
Tip
Rules are processed by type, not by priority alone: DNAT rules first, then network rules, then application rules, with rule collections ordered by priority within each type. The first matching rule is terminal, so if a network rule allows a flow, the application rules are never evaluated for it; a network rule that allows TCP 443 to any destination silently bypasses every FQDN-based application rule for that source. Only HTTP, HTTPS and MSSQL traffic that no network rule matched reaches the application rules, and anything still unmatched is dropped by the implicit deny. When threat intelligence-based filtering is set to alert and deny, it is evaluated before any of the rules.
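The following is an added example, not code from the original page or from Azure: a small Python model of the rule-processing order just described, run against a constructed firewall policy and a handful of constructed flows. The firewall public IP, subnets, rule names and FQDNs are all assumptions made up for the illustration. The `social-leak` flow shows the troubleshooting case from the tip above, where an over-broad network rule allows traffic that an application rule was meant to deny.

```python
"""Toy model of Azure Firewall rule processing (added example, not Azure code):
DNAT collections first, then network, then application, ordered by priority
inside each kind; the first match is terminal and unmatched traffic is denied."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

FIREWALL_PUBLIC_IP = "203.0.113.10"  # assumed firewall public IP (TEST-NET-3)
APP_RULE_PORTS = {80, 443, 1433}     # application rules only see HTTP, HTTPS, MSSQL


@dataclass
class Flow:
    src: str
    dst: str
    protocol: str                # "TCP", "UDP" or "ICMP"
    port: int = 0
    fqdn: Optional[str] = None   # HTTP Host header / TLS SNI, if the client sent one


@dataclass
class Rule:
    name: str
    sources: List[str]           # CIDR prefixes, or "*" for any source
    destinations: List[str]      # CIDRs, "*", or FQDN patterns such as "*.contoso.com"
    protocols: List[str]         # "TCP", "UDP", "ICMP" or "Any"
    ports: List[int]             # empty list means any port
    translate_to: Optional[Tuple[str, int]] = None  # DNAT rules only


@dataclass
class RuleCollection:
    kind: str                    # "dnat", "network" or "application"
    priority: int                # lower number is evaluated first within its kind
    action: str                  # "allow" or "deny"; DNAT collections always allow
    rules: List[Rule] = field(default_factory=list)


def _is_cidr(text: str) -> bool:
    try:
        ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def _src_matches(flow: Flow, rule: Rule) -> bool:
    return any(p == "*" or ip_address(flow.src) in ip_network(p, strict=False)
               for p in rule.sources)


def _dst_matches(flow: Flow, rule: Rule) -> bool:
    # Network rules may name an FQDN instead of a prefix (Azure needs DNS proxy
    # for that); this toy simply compares it against the FQDN the flow carries.
    for d in rule.destinations:
        if d == "*":
            return True
        if _is_cidr(d):
            if ip_address(flow.dst) in ip_network(d, strict=False):
                return True
        elif flow.fqdn is not None and fnmatch(flow.fqdn, d):
            return True
    return False


def _rule_matches(flow: Flow, rule: Rule) -> bool:
    proto_ok = "Any" in rule.protocols or flow.protocol in rule.protocols
    port_ok = not rule.ports or flow.port in rule.ports
    return proto_ok and port_ok and _src_matches(flow, rule) and _dst_matches(flow, rule)


def evaluate(policy: List[RuleCollection], flow: Flow) -> Tuple[str, str, Flow]:
    """Return (action, matched rule name, flow as forwarded after any DNAT)."""
    for kind in ("dnat", "network", "application"):
        if kind == "application" and not (flow.protocol == "TCP" and flow.port in APP_RULE_PORTS):
            break  # non-web traffic never reaches the application rules
        for coll in sorted((c for c in policy if c.kind == kind), key=lambda c: c.priority):
            for rule in coll.rules:
                if not _rule_matches(flow, rule):
                    continue
                if kind == "dnat":
                    ip, port = rule.translate_to  # the implicit network rule allows this
                    return "allow", rule.name, Flow(flow.src, ip, flow.protocol, port, flow.fqdn)
                return coll.action, rule.name, flow
    return "deny", "implicit-deny", flow


# Constructed policy: one DNAT, one network and two application collections.
POLICY = [
    RuleCollection("dnat", 100, "allow", [
        Rule("rdp-to-jumpbox", ["198.51.100.0/24"], [FIREWALL_PUBLIC_IP + "/32"],
             ["TCP"], [3389], translate_to=("10.0.1.4", 3389))]),
    RuleCollection("network", 100, "allow", [
        # Over-broad: lets 10.0.2.0/24 reach any IP on 443, so application
        # rules never get to filter that subnet's web traffic by FQDN.
        Rule("tcp-443-anywhere", ["10.0.2.0/24"], ["*"], ["TCP"], [443]),
        Rule("sql-by-fqdn", ["10.0.0.0/16"], ["sql.corp.example"], ["TCP"], [1433])]),
    RuleCollection("application", 50, "deny", [
        Rule("block-social", ["10.0.0.0/16"], ["*.facebook.com"], ["TCP"], [80, 443])]),
    RuleCollection("application", 100, "allow", [
        Rule("allow-ms-updates", ["10.0.0.0/16"],
             ["*.microsoft.com", "*.windowsupdate.com"], ["TCP"], [80, 443])]),
]


def demo() -> dict:
    """Evaluate constructed flows (TEST-NET addresses) against POLICY."""
    flows = {
        "inbound-rdp": Flow("198.51.100.7", FIREWALL_PUBLIC_IP, "TCP", 3389),
        "updates": Flow("10.0.3.5", "192.0.2.20", "TCP", 443, "www.microsoft.com"),
        "social-blocked": Flow("10.0.3.5", "192.0.2.30", "TCP", 443, "www.facebook.com"),
        "social-leak": Flow("10.0.2.9", "192.0.2.30", "TCP", 443, "www.facebook.com"),
        "sql": Flow("10.0.3.5", "10.0.5.10", "TCP", 1433, "sql.corp.example"),
        "dns": Flow("10.0.3.5", "192.0.2.53", "UDP", 53),
    }
    return {name: evaluate(POLICY, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (action, rule, fwd) in demo().items():
        print(f"{name:15} {action:5} by {rule:18} -> {fwd.dst}:{fwd.port}")
```

The `social-leak` result is the one to remember when troubleshooting: the same request from 10.0.3.5 is denied by `block-social`, but from 10.0.2.9 it is allowed by the network rule before the application collections are consulted. The fix in a real policy is to scope network rules to specific destinations and let web traffic fall through to the application rules.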
At the time of writing there were two SKUs for Azure Firewall (a lower-cost Basic SKU aimed at small deployments has since been added):
- Azure Firewall Standard: This provides filtering from OSI layer three up to layer seven, together with threat intelligence-based filtering fed directly from Microsoft's threat intelligence. Microsoft supplies Azure Firewall with known malicious IP addresses and domains, and the firewall can either alert on or block traffic to and from them before any of the configured rules are evaluated:

Figure 15.10 – Azure Firewall standard SKU capabilities
- Azure Firewall Premium: This provides advanced threat protection for organizations that are highly regulated, such as financial and healthcare institutions. This SKU supports Transport Layer Security (TLS) inspection of traffic, so that the intrusion detection and prevention system (IDPS) and URL filtering can see inside encrypted sessions and stop malware spreading across a network. It also supports URL filtering on the full URL path rather than just the FQDN, and web categories that allow or deny user access to websites by category, such as gambling and social media:

Figure 15.11 – Azure Firewall Premium SKU capabilities
The Azure Firewall Premium SKU is a superset of Standard: everything in the standard SKU plus the Premium features of TLS inspection, signature-based IDPS, URL filtering and web categories. Note that TLS inspection requires you to supply an intermediate CA certificate (stored in Azure Key Vault) that the firewall uses to re-sign server certificates, and every inspected client must trust that CA; URL filtering and IDPS of HTTPS traffic only work for sessions that are actually inspected.
Note
Azure Firewall Manager can be used to centrally create and manage Azure Firewall policies and apply them to firewalls across multiple subscriptions, regions and secured virtual hubs.